California Finalizes Regulations to Strengthen Consumers' Privacy

SACRAMENTO – The California Privacy Protection Agency (CPPA) announced today that the California Office of Administrative Law has approved regulations covering cybersecurity audits, risk assessments, automated decisionmaking technology (ADMT), insurance companies, and updates to existing CCPA regulations.

The approval concludes several years of robust engagement with industry, civil society, and the public. The rulemaking process included hosting multiple hearings and reviewing hundreds of public comments, all of which were carefully considered by the CPPA Board prior to adopting the regulations.

“These rules ensure that Californians continue to have the strongest privacy protections in the country while being responsive to the realities of business implementation. I'm deeply grateful to our team and to members of the public whose contributions helped to shape these regulations,” said Jennifer Urban, Chair of the California Privacy Protection Agency Board.

“The regulations provide clarity for businesses, while ensuring strong protections for Californians,” said Phil Laird, General Counsel for the California Privacy Protection Agency. “Our goal has always been to give consumers meaningful rights and also provide practical compliance pathways for businesses.”

The regulations go into effect January 1, 2026. However, businesses have additional time to comply with some of the new requirements, namely those for cybersecurity audits, risk assessments, and automated decisionmaking technology.

Cybersecurity Audits

Businesses required to complete cybersecurity audits must submit certifications to the CPPA by:

  1. April 1, 2028, if the business has annual gross revenue over $100 million;
  2. April 1, 2029, if the business has annual gross revenue between $50 million and $100 million; or
  3. April 1, 2030, if the business has annual gross revenue under $50 million.

Risk Assessments

Businesses subject to risk assessment requirements must begin compliance by January 1, 2026. By April 1, 2028, they must submit to the CPPA:

  1. An attestation that required risk assessments were completed, and
  2. A summary of their risk assessment information.

Automated Decisionmaking Technology (ADMT)

Businesses that use ADMT to make significant decisions must comply with the ADMT requirements beginning January 1, 2027.

The final regulations and supporting materials will be posted on the CPPA website as soon as they are processed.

If you have questions, please use our Contact form.

ABOUT US

The California Privacy Protection Agency (CPPA) is committed to promoting the education and awareness of consumers' privacy rights and businesses' responsibilities under the California Consumer Privacy Act.

Individuals can visit privacy.ca.gov to access helpful and up-to-date information on how to exercise their rights and protect their personal information. In addition, the Agency's website provides important information about CPPA board meetings, announcements, and the rulemaking process.